Monday, February 21, 2011

Ghostintheshellcode Stage 14 TootsieRoll Packet 175 pts

Stage 14
Question: TootsieRoll
175 Points
What is the password?

File: tootsieroll-4fafc83198440078a616080e3d44419c

carl@b:~/tootsie$ file tootsieroll-4fafc83198440078a616080e3d44419c
tootsieroll-4fafc83198440078a616080e3d44419c: tcpdump capture file (little-endian) - version 2.4 (Ethernet, capture length 65535)

Dump the payloads with tcpflow:

carl@b:~/tootsie$ tcpflow -r tootsieroll-4fafc83198440078a616080e3d44419c
carl@b:~/tootsie$ ls -al
-rw-r--r--  1 carl carl   180 2011-02-21 16:20 127.000.000.001.01337-127.000.000.001.50451
-rw-r--r--  1 carl carl   676 2011-02-21 16:20 127.000.000.001.50451-127.000.000.001.01337

carl@b:~/tootsie$ file 127*
127.000.000.001.01337-127.000.000.001.50451: ASCII text, with no line terminators
127.000.000.001.50451-127.000.000.001.01337: ASCII text, with very long lines, with no line terminators

carl@b:~/tootsie$ more 127.000.000.001.01337-127.000.000.001.50451
WGB6bWljNw==UWd9KHxgYWZjKHxgbXEvem0ob2dhZm8ofGcoan17fCh9ezc=XGBtKHhpe3t/Z3psKHxgaXwoe3xpenx7KH9hfGAoNGNtcTZdO0pkUTpkYGpLSkpS
Ol59bEs0J2NtcTYkKGp9fChhKG5nem9nfCh8YG0oem17fDc=R2YoYXwp

carl@b:~/tootsie$ more 127.000.000.001.50451-127.000.000.001.01337
R2p2Iy9meyh8L2JqIQ==RihiL2l9am5kZmFoLi9FYGp2L3hufGEoey9ibmRmYWgvZnsven8uL0dqL31qbmNjdi9nbmxkamsvZmF7YC9KY2NmYWh8YGEuL0dqL2hu
eWovYmove2dqL2tmfGwveGZ7Zy9uL2lmY2ovZ2ovbGB/ZmprL25hay9hYHgvRihiL2ZhL2VuZmMuL1tnanYofWovbGdufWhmYWgvYmoveGZ7Zy98YGJqL3xqfWZg
enwvfGdmey4vTmFrL3tnan1qKHwvfHt6aWkvRi9rZmthKHsvanlqYS9rYCMvY2Zkai9mYXxqfXtmYWgvfGBiai95Zn16fC9sbmNjamsvS24vWWZhbGYjL25hay97
Z2p2L2Rqan8vbnxkZmFoL25tYHp7L3Zgei9oenZ8IQ==VmpuZy4vVmB6L21qe3tqfS9pZmh6fWovYHp7L3hnbnsofC9gYS97Z257L2tmfGwjL2xuenxqL3hqKH1q
L21qZmFoL2l9bmJqayEvRnsofC9mYS97Z257L39jbmxqL3hnan1qL0Yvf3p7L3tnbnsve2dmYWgve2duey97ZmJqL3hme2cve2duey9/bnx8eGB9ay4=S3pnIy9m
ey9qYWt8L3hme2c1LzNkanYxTnZCW0Z7QVtaPkNbZD9AW14yMyBkanYx

Looks like base64: 

carl@b:~/tootsie$ cat 127.000.000.001.50451-127.000.000.001.01337 | base64 -d
Gjv#/f{(|/bj!F(b/i}jndfah./E`jv/xn|a({/bndfah/f{/./Gj/}jnccv/gnldjk/fa{`/Jccfah|`a./Gj/hnyj/bj/{gj/kf|l/xf{g/n/ifcj/gj/lfjk/nak/a`x/F(b/fa/enfc./[gjv(}j/lgn}hfah/bj/xf{g/|`bj/|j}f`z|/|gf{./Nak/{gj}j(|/|{zii/F/kfka({/jyja/k`#/cfdj/fa|j}{fah/|`bj/yf}z|/lnccjk/Kn/Yfalf#/nak/{gjv/dj/n|dfah/nm`z{/v`z/hzv|!Vjng./V`z/mj{{j}/ifhz}j/`z{/xgn{(|/`a/{gn{/kf|l#/lnz|j/xj(}j/mjfah/i}nbjk!/F{(|/fa/{gn{cnlj/xgj}j/Fz{/{gn{/{gfah/{gn{/{fbj/xf{g/{gn{n||x`}k.Kzg#/f{/jak|/xf{g5/3djv1NvB[F{A[Z>C[d?@[^23 djv1
carl@b:~/tootsie$ cat 127.000.000.001.01337-127.000.000.001.50451 | base64 -d
X`zmic7Qg}(|`afc(|`mq/zm(ogafo(|g(j}{|(}{7\`m(xi{gzl(|`i|({|iz|{a|`(4cmq6];JdQ:d`jKJJR:^}lK4'cmq6$(j}|(a(ngzog|(|`m(zm{|7Gf(a|)
carl@b:~/tootsie$ cat 127.000.000.001.50451-127.000.000.001.01337 | base64 -d > file.out
carl@b:~/tootsie$ cat 127.000.000.001.01337-127.000.000.001.50451 | base64 -d > file2.out

XOR is a pretty common obfuscation. Didier Stevens' tool XORSearch makes it easy to look for text that might be XORed. You can find it here: http://blog.didierstevens.com/programs/xorsearch/
The word "pass" was a lucky first guess:

carl@b:~/tootsie$ xorsearch file.out pass
Found XOR 0F position 01BD: password!Duh, it ends with: AyMTItNTU1LTk0OTQ
carl@b:~/tootsie$ xorsearch file2.out pass
Found XOR 08 position 002E: password that starts with U3BlY2lhbCBBZ2VudC<

Cat those two strings together and you get a base64-encoded string that you can decode:

carl@b:~/tootsie$ echo "U3BlY2lhbCBBZ2VudCAyMTItNTU1LTk0OTQ" | base64 -d
Special Agent 212-555-9494

The key is "Special Agent 212-555-9494"
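As an added illustration (not code from the writeup), here is a small Python re-implementation of what the XORSearch step and the final concatenation do: brute-force the single-byte XOR key that exposes "pass", pull the base64 fragment after each hint, and decode the joined string. The two streams are constructed stand-ins XORed with the keys the tool reported (0x08 and 0x0F), not the capture's real payloads.

```python
import base64
import re

# Constructed stand-ins for the two tcpflow streams: plaintext XORed with the
# single-byte keys the writeup found (0x08 and 0x0F). The real capture is not
# reproduced here, only its structure (a base64 fragment hidden in each side).
SERVER_PLAIN = b"Ok, here is a hint: the password that starts with U3BlY2lhbCBBZ2VudC is all you get."
CLIENT_PLAIN = b"No way. Fine, the password!Duh, it ends with: AyMTItNTU1LTk0OTQ so stop asking."


def xor_bytes(data: bytes, key: int) -> bytes:
    """XOR every byte with one key byte; XOR is its own inverse."""
    return bytes(b ^ key for b in data)


SERVER_STREAM = xor_bytes(SERVER_PLAIN, 0x08)  # plays the role of file2.out
CLIENT_STREAM = xor_bytes(CLIENT_PLAIN, 0x0F)  # plays the role of file.out


def xorsearch(data: bytes, needle: bytes) -> list:
    """What XORSearch does for a 1-byte key: try all 256 keys and report every
    (key, offset) at which the decoded data contains needle."""
    hits = []
    for key in range(256):
        plain = xor_bytes(data, key)
        off = plain.find(needle)
        while off != -1:
            hits.append((key, off))
            off = plain.find(needle, off + 1)
    return hits


def decode_with_found_key(data: bytes, needle: bytes) -> bytes:
    """Decode with the one key that exposes needle; refuse to guess if several do."""
    keys = sorted({key for key, _ in xorsearch(data, needle)})
    if len(keys) != 1:
        raise ValueError(f"expected exactly one key exposing {needle!r}, got {keys}")
    return xor_bytes(data, keys[0])


def base64_fragment_after(plain: bytes, marker: bytes) -> bytes:
    """The run of base64-alphabet characters that follows marker."""
    m = re.search(re.escape(marker) + rb"\s*([A-Za-z0-9+/=]+)", plain)
    if m is None:
        raise ValueError(f"marker {marker!r} not in decoded text")
    return m.group(1)


def recover_password(server_stream: bytes, client_stream: bytes) -> str:
    """Join the two halves in the order the hints give and base64-decode them."""
    head = base64_fragment_after(decode_with_found_key(server_stream, b"pass"), b"starts with")
    tail = base64_fragment_after(decode_with_found_key(client_stream, b"pass"), b"ends with:")
    joined = head + tail
    # The joined string carries no '=' padding (35 chars). The base64 -d run
    # above coped with that; Python's decoder needs a multiple of 4.
    joined += b"=" * (-len(joined) % 4)
    return base64.b64decode(joined).decode("ascii")


if __name__ == "__main__":
    print(recover_password(SERVER_STREAM, CLIENT_STREAM))
```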

Ghostintheshellcode Stage 1 apd Forensics 100pts

Stage 1
Question: apd
100 Points

Who?
File: apd-d54c4e84df46239dd

carl@b:~/apd/$ file apd-d54c4e84df46239ddd453f19909468c3
apd-d54c4e84df46239ddd453f19909468c3: gzip compressed data, from Unix, last modified: Sun Dec 26 14:06:22 2010

carl@b:~/apd/$ tar zxf apd-d54c4e84df46239ddd453f19909468c3

carl@b:~/apd/$ ls -al | more
total 9668
drwxr-xr-x 2 carl carl   20480 2011-02-21 15:36 .
drwxr-xr-x 3 carl carl   20480 2011-02-21 15:34 ..
-rw-r--r-- 1 carl carl   19354 2010-12-26 14:06 0002abbac6e704c7196509c2bdfc61c6
-rw-r--r-- 1 carl carl   19772 2010-12-26 14:06 01149038c6aac54204c2850f5f8104c9
-rw-r--r-- 1 carl carl   19772 2010-12-26 14:06 01bf66971ba7601dc9bd99b2e9c38c90
-rw-r--r-- 1 carl carl   19354 2010-12-26 14:06 023326ab4a8cbcc4494485bb2d4997c9
-rw-r--r-- 1 carl carl   19355 2010-12-26 14:06 0390f811e8ed5846d3cac7f8b4c8ad23
-rw-r--r-- 1 carl carl   19772 2010-12-26 14:06 03ced4264f06a6e2a35e5fa950bece65
-rw-r--r-- 1 carl carl   19354 2010-12-26 14:06 04869a26051364f0c308eefd562ab8e4
-rw-r--r-- 1 carl carl   19354 2010-12-26 14:06 06966a475ca30d06421f1e662dad4fda
-rw-r--r-- 1 carl carl   19354 2010-12-26 14:06 08bf0534c5168bfc2e020269e90bf9b3
-rw-r--r-- 1 carl carl   19355 2010-12-26 14:06 09aa52fff54918a33c397e44efcf4339
-rw-r--r-- 1 carl carl   19354 2010-12-26 14:06 09ed6bd70d00ef97e6a4c8bc89249613

[...]

MP3s.. rock out!

carl@b:~/apd/$ file *
0002abbac6e704c7196509c2bdfc61c6:     MPEG ADTS, layer III, v1, 128 kbps, 44.1 kHz, Stereo
01149038c6aac54204c2850f5f8104c9:     MPEG ADTS, layer III, v1, 128 kbps, 44.1 kHz, Stereo
01bf66971ba7601dc9bd99b2e9c38c90:     MPEG ADTS, layer III, v1, 128 kbps, 44.1 kHz, Stereo
023326ab4a8cbcc4494485bb2d4997c9:     MPEG ADTS, layer III, v1, 128 kbps, 44.1 kHz, Stereo
0390f811e8ed5846d3cac7f8b4c8ad23:     MPEG ADTS, layer III, v1, 128 kbps, 44.1 kHz, Stereo
03ced4264f06a6e2a35e5fa950bece65:     MPEG ADTS, layer III, v1, 128 kbps, 44.1 kHz, Stereo
04869a26051364f0c308eefd562ab8e4:     MPEG ADTS, layer III, v1, 128 kbps, 44.1 kHz, Stereo
06966a475ca30d06421f1e662dad4fda:     MPEG ADTS, layer III, v1, 128 kbps, 44.1 kHz, Stereo
08bf0534c5168bfc2e020269e90bf9b3:     MPEG ADTS, layer III, v1, 128 kbps, 44.1 kHz, Stereo
09aa52fff54918a33c397e44efcf4339:     MPEG ADTS, layer III, v1, 128 kbps, 44.1 kHz, Stereo
09ed6bd70d00ef97e6a4c8bc89249613:     MPEG ADTS, layer III, v1, 128 kbps, 44.1 kHz, Stereo
0bfc1634806148c28b7a375b85b95e44:     MPEG ADTS, layer III, v1, 128 kbps, 44.1 kHz, Stereo
[...]

So we had a bunch of really short MP3s, obviously spliced up from the same sample, and we had to reconstruct it. Let's check the metadata:

carl@b:~/apd/$ exiftool 107deef8d71148a6f2d27d82918fd5fe
ExifTool Version Number         : 8.15
File Name                       : 107deef8d71148a6f2d27d82918fd5fe
Directory                       : .
File Size                       : 19 kB
File Modification Date/Time     : 2010:12:26 14:06:20-05:00
File Permissions                : rw-r--r--
File Type                       : MP3
MIME Type                       : audio/mpeg
MPEG Audio Version              : 1
Audio Layer                     : 3
Audio Bitrate                   : 128000
Sample Rate                     : 44100
Channel Mode                    : Stereo
MS Stereo                       : Off
Intensity Stereo                : Off
Copyright Flag                  : False
Original Media                  : True
Emphasis                        : None
ID3 Size                        : 128
Title                           : R2hvc3RJblRoZVNoZWxsY29kZSAK
Artist                          : VElNRTogMTQ6MDY6MjAK
Album                           : V2UgYXJlIHdhdGNoaW5nIHlvdSAK
Year:
Comment                         : R2l0cy0wNDUK
Genre                           : None
Date/Time Original              :
Duration                        : 1.20 s (approx)

Title, Artist, Album and Comment are all encoded; they happen to be base64. Looking across all of the files, the Title and Album are the same, and the Artist varies only slightly.

carl@b:~/apd/$ exiftool * | grep Title | sort | uniq -c
    250 Title                           : R2hvc3RJblRoZVNoZWxsY29kZSAK

carl@b:~/apd/$ echo "R2hvc3RJblRoZVNoZWxsY29kZSAK" | base64 -d
GhostInTheShellcode

carl@b:~/apd/$ exiftool * | grep Album | sort | uniq -c
    250 Album                           : V2UgYXJlIHdhdGNoaW5nIHlvdSAK


carl@b:~/apd/$ echo "V2UgYXJlIHdhdGNoaW5nIHlvdSAK" | base64 -d
We are watching you

carl@b:~/apd/$ exiftool * | grep Artist | sort | uniq -c
     91 Artist                          : VElNRTogMTQ6MDY6MjAK
     94 Artist                          : VElNRTogMTQ6MDY6MjEK
     22 Artist                          : VElNRTogMTQ6MDY6MjIK
     43 Artist                          : VElNRTogMTQ6MDY6MTkK

carl@b:~/apd/$ echo "VElNRTogMTQ6MDY6MjAK" | base64 -d
TIME: 14:06:20
carl@b:~/apd/$ echo "VElNRTogMTQ6MDY6MjEK" | base64 -d
TIME: 14:06:21
carl@b:~/apd/$ echo "VElNRTogMTQ6MDY6MjIK" | base64 -d
TIME: 14:06:22
carl@b:~/apd/$ echo "VElNRTogMTQ6MDY6MTkK" | base64 -d
TIME: 14:06:19

Though the comments are all different:

carl@b:~/apd/$ for i in `ls`; do exiftool $i | grep Comment; done
Comment                         : R2l0cy0wNTcK
Comment                         : R2l0cy0wMjEK
Comment                         : R2l0cy0yMDAK
Comment                         : R2l0cy0wNDMK
Comment                         : R2l0cy0yNDEK
Comment                         : R2l0cy0wNTkK
Comment                         : R2l0cy0wODQK
[...]

carl@b:~/apd/$ for i in `ls`; do exiftool $i | grep Comment | awk '{print $3}' ; done
R2l0cy0wNTcK
R2l0cy0wMjEK
R2l0cy0yMDAK
R2l0cy0wNDMK
R2l0cy0yNDEK
R2l0cy0wNTkK
[...]

Decode the comments and we get some numbers that we can sort:

carl@b:~/apd/$ for i in `ls`; do exiftool $i | grep Comment | awk '{print $3}' |base64 -d  ; done
Gits-057
Gits-021
Gits-200
Gits-043
Gits-241
Gits-059
[...]

carl@b:~/apd/$ for i in `ls`; do mv $i `exiftool $i | grep Comment | awk '{print $3}' |base64 -d `; done

carl@b:~/apd/$ ls
Gits-020  Gits-040  Gits-060  Gits-080  Gits-100  Gits-120  Gits-140  Gits-160  Gits-180  Gits-200  Gits-220  Gits-240
Gits-001  Gits-021  Gits-041  Gits-061  Gits-081  Gits-101  Gits-121  Gits-141  Gits-161  Gits-181  Gits-201  Gits-221  Gits-241
Gits-002  Gits-022  Gits-042  Gits-062  Gits-082  Gits-102  Gits-122  Gits-142  Gits-162  Gits-182  Gits-202  Gits-222  Gits-242
Gits-003  Gits-023  Gits-043  Gits-063  Gits-083  Gits-103  Gits-123  Gits-143  Gits-163  Gits-183  Gits-203  Gits-223  Gits-243
[...]

We got stuck here for a minute, but then figured out that you could cat each of these individual MP3s together and end up with a playable MP3.


carl@b:~/apd/$ cat Gits-* > full.mp3
carl@b:~/apd/$ ls -al full.mp3
-rw-r--r-- 1 carl carl 4865279 2011-02-21 16:09 full.mp3
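An added example (not the writeup's own tooling) that does the exiftool, rename and cat steps in Python: it parses the 128-byte ID3v1 trailer, base64-decodes the fields, checks the sequence for gaps, orders by the Comment number and joins the audio. The fragments are constructed in the code; unlike plain `cat`, the trailers are dropped from the joined output.

```python
import base64
import re

ID3V1_SIZE = 128  # exiftool's "ID3 Size: 128" means a classic ID3v1 trailer


def b64_field(text: str, width: int) -> bytes:
    """Encode a tag field the way the challenge files did: base64 of the text
    plus a newline (hence the trailing 'K' on every value above), NUL padded."""
    enc = base64.b64encode((text + "\n").encode("ascii"))
    if len(enc) > width:
        raise ValueError(f"{text!r} does not fit in a {width}-byte field")
    return enc.ljust(width, b"\0")


def make_fragment(audio: bytes, comment: str) -> bytes:
    """Constructed stand-in for one challenge MP3: audio bytes + ID3v1 trailer
    (TAG, title[30], artist[30], album[30], year[4], comment[30], genre[1])."""
    tag = (b"TAG" + b64_field("GhostInTheShellcode", 30) + b64_field("TIME: 14:06:20", 30)
           + b64_field("We are watching you", 30) + b"\0" * 4 + b64_field(comment, 30) + b"\xff")
    assert len(tag) == ID3V1_SIZE
    return audio + tag


def parse_id3v1(data: bytes) -> dict:
    """Split a file into its audio body and the base64-decoded ID3v1 text fields."""
    if len(data) < ID3V1_SIZE or data[-ID3V1_SIZE:][:3] != b"TAG":
        raise ValueError("no ID3v1 trailer")
    tag = data[-ID3V1_SIZE:]

    def text(start: int, width: int) -> str:
        raw = tag[start:start + width].split(b"\0", 1)[0].strip()
        return base64.b64decode(raw).decode("ascii").strip()

    return {"title": text(3, 30), "artist": text(33, 30), "album": text(63, 30),
            "comment": text(97, 30), "audio": data[:-ID3V1_SIZE]}


def sequence_number(comment: str) -> int:
    """'Gits-045' -> 45; anything else is an error rather than a silent misorder."""
    m = re.fullmatch(r"Gits-(\d{3})", comment)
    if m is None:
        raise ValueError(f"unexpected comment {comment!r}")
    return int(m.group(1))


def reassemble(fragments: list) -> bytes:
    """Order the fragments by their Comment number and join the audio bodies.
    Unlike plain `cat`, each fragment's trailer is dropped so that no tag data
    is left in the middle of the stream."""
    parsed = [parse_id3v1(f) for f in fragments]
    titles = {p["title"] for p in parsed}
    if len(titles) != 1:
        raise ValueError(f"fragments do not share one title: {titles}")
    numbers = sorted(sequence_number(p["comment"]) for p in parsed)
    if numbers != list(range(numbers[0], numbers[0] + len(numbers))):
        raise ValueError("sequence has gaps or duplicates; fragments are missing")
    parsed.sort(key=lambda p: sequence_number(p["comment"]))
    return b"".join(p["audio"] for p in parsed)


# Constructed fragments listed out of order, like `ls` on the hashed file names.
FRAGMENTS = [make_fragment(b"<frame 3>", "Gits-003"),
             make_fragment(b"<frame 1>", "Gits-001"),
             make_fragment(b"<frame 2>", "Gits-002")]
```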



If you open the song in an MP3 player, you should quickly identify it as Prodigy - One Love, from the Experience album and also from the Hackers soundtrack. If you listen through the song you will get to some dialogue from the movie where Cereal is talking about the Da Vinci virus. At ~3:50 you'll hear the quote "The password for this hungry little sucker belongs to Margo Wallace". "Margo Wallace" is repeated a number of times and "Wallace" is distorted. Presumably they wanted us to look up the movie script and confirm. Easy stuff.


Margo Wallace is the key.

Ghostintheshellcode Stage 5 CCTV Forensics 250pts

Stage 5
Question: cctv
250 Points
File: cctv-88cbfd616c1ce146ca6b738772c10bea

The CCTV page has 9 animated gifs. Collect them all!

carl@b:~/cctv$ ls
code.gif  davinci.gif  destroycard.gif  game.gif  gibson1.gif  gibson2.gif  gibson3.gif  hops.gif  otv.gif

This took a long time while we tried a bunch of useless ideas.
-All of the gifs were exploded into single frames and each was checked for any watermarks or interesting information.
-We tried to find any hidden data stored between the frames. I hear you can append a zip file to the end of a gif file and each can be opened with native tools.
-We looked for something interesting based on the timing of each frame.
-We loaded them into gimp and noticed the timing was between 0 and 70 ms per frame, which made me think of hidden octal numbers, but this was a dead end, for now.

We massaged each of the files through ImageMagick over and over with no results. At one point, I came across this page: http://www.imagemagick.org/discourse-server/viewtopic.php?f=1&t=11988 which led me to look for "ticks". ImageMagick's identify command can show ticks if you use %T.

carl@b:~/cctv$ info="%T"
carl@b:~/cctv$ identify -format "$info" *.gif

1531521641211231061411441461531541461521411631460120001101211051441441661701721261011071011061460120014616116414516116410112310410610110614716116414401200001031621411631501451441011561441021651621561451440120014114711010712116114116314414614112413111011014101201461411231071241211041431701411471461611470120000147131121161145141146144163166170147141141147012012114514114114614116314414612110513112210516301214612116414414717112514114416614217210114614614101200

I'm pretty certain the only reason this looked interesting to me was because I saw the file in gimp earlier and 0-70 ms made me think "octal". Otherwise, I probably would have missed it.

carl@b:~/cctv$ identify -format "$info" *.gif > file.out
carl@b:~/cctv$ more file.out
1531521641211231061411441461531541461521411631460120001101211051441441661701721261011071011061460120014616116414516116410112310410610110614716116414401200001031621411631501451441011561441021651621561451440120014114711010712116114116314414614112413111011014101201461411231071241211041431701411471461611470120000147131121161145141146144163166170147141141147012012114514114114614116314414612110513112210516301214612116414414717112514114416614217210114614614101200

Break up the string into sets of 3 digits:

carl@b:~/cctv$ egrep -o "[0-9]{3}" file.out > file2.out
carl@b:~/cctv$ more file2.out
153
152
164
121
[...]

carl@b:~/cctv$ perl octa -a file2.out
carl@b:~/cctv$ more file2.out.as
kjtQSFadfklfjasf
NULHQEddvxzVAGAFf
SOH     !1      1PNULCrashedAndBurned
SOHA9AAPfaSGTQDcxagfqg
NULFFJNLLFFLL))Q        P

The key is encoded in octal in the frame ticks inside game.gif. The key is "CrashedAndBurned".

The octa file is octala.pl from Mike Golvach: http://linuxshellaccount.blogspot.com/2008/05/perl-script-to-do-lame-encryption-with.html.  Thanks to him for his script.
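An added example, not part of the writeup or of ImageMagick: a minimal GIF block walker that pulls each frame's delay straight from the Graphic Control Extension (the value identify prints as %T) and reads it as an octal byte, one value per frame, so the 3-digit grouping can never lose sync. The GIF is constructed in the code; game.gif itself is not reproduced.

```python
import struct


def _skip_sub_blocks(data: bytes, pos: int) -> int:
    """Step over a chain of GIF data sub-blocks (length byte + payload) and
    return the position just past the 0x00 terminator."""
    while True:
        n = data[pos]
        pos += 1
        if n == 0:
            return pos
        pos += n


def gif_frame_delays(data: bytes) -> list:
    """Delay of every frame, read from each Graphic Control Extension. The
    value is in hundredths of a second, which is what identify's %T prints."""
    if data[:6] not in (b"GIF87a", b"GIF89a"):
        raise ValueError("not a GIF")
    packed = data[10]
    pos = 13
    if packed & 0x80:                       # global color table follows the header
        pos += 3 * (2 << (packed & 0x07))
    delays = []
    while pos < len(data):
        block = data[pos]
        if block == 0x3B:                   # trailer
            break
        if block == 0x21:                   # extension block
            if data[pos + 1] == 0xF9:       # graphic control extension
                delays.append(struct.unpack_from("<H", data, pos + 4)[0])
            pos = _skip_sub_blocks(data, pos + 2)
        elif block == 0x2C:                 # image descriptor
            ipacked = data[pos + 9]
            pos += 10
            if ipacked & 0x80:              # local color table
                pos += 3 * (2 << (ipacked & 0x07))
            pos = _skip_sub_blocks(data, pos + 1)   # +1 skips the LZW minimum code size
        else:
            raise ValueError(f"unexpected block 0x{block:02x} at offset {pos}")
    return delays


def delays_as_octal_text(delays: list) -> str:
    """Read each delay's decimal digits as an octal byte (103 -> 0o103 -> 'C').
    Values that are not valid octal bytes become '?' so alignment is kept."""
    out = []
    for d in delays:
        digits = str(d)
        ok = all(c in "01234567" for c in digits) and int(digits, 8) < 256
        out.append(chr(int(digits, 8)) if ok else "?")
    return "".join(out)


def make_gif(delays: list) -> bytes:
    """Constructed 1x1-pixel GIF89a with one frame per delay; the 2-byte LZW
    stream is a valid single pixel, though the parser never decodes it."""
    out = bytearray(b"GIF89a" + struct.pack("<HHBBB", 1, 1, 0x80, 0, 0) + b"\0\0\0\xff\xff\xff")
    for d in delays:
        out += b"\x21\xF9\x04\x00" + struct.pack("<H", d) + b"\x00\x00"
        out += b"\x2C" + struct.pack("<HHHHB", 0, 0, 1, 1, 0) + b"\x02" + b"\x02\x44\x01\x00"
    out += b"\x3B"
    return bytes(out)


# Constructed frame delays: two throwaway values, then the octal-coded key.
SAMPLE_DELAYS = [0, 12] + [int(oct(ord(c))[2:]) for c in "CrashedAndBurned"]
SAMPLE_GIF = make_gif(SAMPLE_DELAYS)
```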

Ghostintheshellcode Stage 10 Hackerlife Forensics 400pts

Stage 10
Question: Hackerlife
400 Points

John doesn't see a problem.

File: hackerlife-0b8724a229d81bbb727d27d735eaca86


The file is pretty large by itself. It is a bzipped tarball; extract it.

carl@b:~/hackerlife$ file hackerlife-0b8724a229d81bbb727d27d735eaca86
hackerlife-0b8724a229d81bbb727d27d735eaca86: bzip2 compressed data, block size = 900k

carl@b:~/hackerlife$ bunzip2 hackerlife-0b8724a229d81bbb727d27d735eaca86
bunzip2: Can't guess original name for hackerlife-0b8724a229d81bbb727d27d735eaca86 -- using hackerlife-0b8724a229d81bbb727d27d735eaca86.out

carl@b:~/hackerlife$ ls -al
total 73560
drwxr-xr-x  3 carl carl     4096 2011-02-21 11:00 .
drwxr-xr-x 38 carl carl    69632 2011-02-20 22:53 ..
-rw-r--r--  1 carl carl 75243520 2011-02-21 11:00 hackerlife-0b8724a229d81bbb727d27d735eaca86.out
drwxr-xr-x  3 carl carl     4096 2011-02-21 11:00 new

carl@b:~/hackerlife$ file hackerlife-0b8724a229d81bbb727d27d735eaca86.out
hackerlife-0b8724a229d81bbb727d27d735eaca86.out: POSIX tar archive

carl@b:~/hackerlife$ tar xf hackerlife-0b8724a229d81bbb727d27d735eaca86.out

carl@b:~/hackerlife$ file 6661024a3d7bbe441f8930e761a138f4
6661024a3d7bbe441f8930e761a138f4: ASCII text, with CRLF line terminators

carl@b:~/hackerlife$ ls -al 6661024a3d7bbe441f8930e761a138f4
-rw-r--r-- 1 carl carl 75231938 2010-12-31 00:42 6661024a3d7bbe441f8930e761a138f4

The file looks like an oddly formatted passwd dump. Looking through the list, it's obviously the well-publicized dump of gawker.com users.

carl@b:~/hackerlife$ more 6661024a3d7bbe441f8930e761a138f4
nicka ::: NULL ::: NULL ::: naster@gawker.com
Lisanti ::: NULL ::: NULL ::: tips@defamer.com
Choire ::: NULL ::: NULL ::: choire@gawker.com
Defamer ::: NULL ::: NULL ::: tips@defamer.com
gabriela ::: NULL ::: NULL ::: gabriela@gawker.com
trackbacker ::: NULL ::: NULL ::: trackbacker@gawker.com
wonkette ::: NULL ::: NULL ::: tips@wonkette.com
lev ::: NULL ::: NULL ::: tips@gizmodo.com
[...]

So, I got a hold of the actual list and compared them. 

carl@b:~/hackerlife$ more gawker.passwd
nicka:NULL:NULL:naster@gawker.com
Lisanti:NULL:NULL:tips@defamer.com
Choire:NULL:NULL:choire@gawker.com
Defamer:NULL:NULL:tips@defamer.com
gabriela:NULL:NULL:gabriela@gawker.com
trackbacker:NULL:NULL:trackbacker@gawker.com

carl@b:~/hackerlife$ wc -l gawker.passwd
1247893 gawker.passwd

carl@b:~/hackerlife$ wc -l 6661024a3d7bbe441f8930e761a138f4
1247912 6661024a3d7bbe441f8930e761a138f4


Those are pretty close. Let's find what is different.


carl@b:~/hackerlife$ awk -F"[: ]" '{print $1}' gawker.passwd > gawker.users
carl@b:~/hackerlife$ awk -F"[: ]" '{print $1}' 6661024a3d7bbe441f8930e761a138f4 > 666.users


carl@b:~/hackerlife$ diff -y --suppress-common-lines gawker.users 666.users
             > havlarflake
             > dragosr
             > dino
             > dakami
             > 41414141
             > ChrisPaget
             > 0xcharlie
             > taviso
             > ero
             > thedarktangent
             > hdm
             > invisig0th
             > alexsotirov
             > mdowd
             > dionthegod
             > evilcazz
             > scarybeasts
             > egyp7
             > s7ephen

Those guys look familiar. 

carl@b:~/hackerlife$ cat users
havlarflake ::: UtTv7enb7F7eo ::: NULL ::: Rmd4@gmail.com
dragosr ::: /3EK9FFao4Pg6 ::: NULL ::: aD92@gmail.com
dino ::: V2ImDfHvvzeGM ::: NULL ::: L3d3@gmail.com
dakami ::: HH1Ib3DcdRGSk ::: NULL ::: IGtl@gmail.com
41414141 ::: S8/2fLdvnSKM. ::: NULL ::: bS93@gmail.com
ChrisPaget ::: aRHvyiutiwz3A ::: NULL ::: PThp@gmail.com
0xcharlie ::: NVDC2543t.EKw ::: NULL ::: eSBp@gmail.com
taviso ::: 6vqZ23UFznzuc ::: NULL ::: czog@gmail.com
ero ::: Alj6D38tP79g6 ::: NULL ::: YXRj@gmail.com
thedarktangent ::: 0dOYtkSGSMR4. ::: NULL ::: LmNv@gmail.com
hdm ::: TxuDvnUnk94wU ::: NULL ::: VGhl@gmail.com
invisig0th ::: hBYhGy4dotTCc ::: NULL ::: TGY4@gmail.com
alexsotirov ::: oMCKEbmr9Kcx6 ::: NULL ::: ZHZH@gmail.com
mdowd ::: TGW6yISW/Ezzo ::: NULL ::: b3V0@gmail.com
dionthegod ::: 79mrBN2Qrejrk ::: NULL ::: dWJl@gmail.com
evilcazz ::: L6D79o81B8rL6 ::: NULL ::: cDov@gmail.com
scarybeasts ::: 6/gvMSbzDN1a. ::: NULL ::: aHR0@gmail.com
egyp7 ::: boREOx6UFvQF. ::: NULL ::: Lg==@gmail.com
s7ephen ::: m4bjrTwr9hbt6 ::: NULL ::: dy55@gmail.com


Those email addresses look suspicious, especially "Lg==@gmail.com". Any time I see ==, I assume base64 padding.

carl@b:~/hackerlife$ cat users-original-order | egrep -o ".{4}@gmail.com"  | cut -c1-4 | tr -d '\n'
Rmd4aD92L3d3IGtlbS93PThpeSBpczogYXRjLmNvVGhlTGY4ZHZHb3V0dWJlcDovaHR0Lg==dy55

carl@b:~/hackerlife$ cat users-original-order | egrep -o ".{4}@gmail.com"  | cut -c1-4 | tr -d '\n' | base64 -d
Fgxh?v/ww kem/w=8iy is: atc.coTheLf8dvGoutubep:/htt.w.y


Rearrange the parts of the base64 string and you end up with:

carl@b:~/hackerlife$ echo "VGhlIGtleSBpczogaHR0cDovL3d3dy55b3V0dWJlLmNvbS93YXRjaD92PThpZHZHRmd4TGY4Lg==" | base64 -d
The key is: http://www.youtube.com/watch?v=8idvGFgxLf8.


If you visit that link (and you should), you'll also find that somebody has beaten you to it:
"Wow, this URL is totally the key. Seriously. The key. The url. The key.  realnamehere 1 month ago "
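As an added example with constructed rows (not the gawker data), the diff and extraction steps in Python: normalise both delimiter styles, keep the rows whose username is absent from the original, take the 4-character local parts, and use the position of the `==` padding as the check that the fragments are out of order before decoding.

```python
import base64
import re

# Constructed sample rows in the two layouts the writeup compares: the original
# dump (colon separated) and the challenge copy (' ::: ' separated). Every name,
# hash and address here is made up; no real breach data is reproduced.
ORIGINAL = """\
alice:NULL:NULL:alice@example.com
bob:NULL:NULL:bob@example.com
carol:NULL:NULL:carol@example.com
""".splitlines()

CHALLENGE = """\
alice ::: NULL ::: NULL ::: alice@example.com
planted1 ::: xxxxxxxxxxxxx ::: NULL ::: Lg==@gmail.com
bob ::: NULL ::: NULL ::: bob@example.com
planted2 ::: xxxxxxxxxxxxx ::: NULL ::: VGhl@gmail.com
carol ::: NULL ::: NULL ::: carol@example.com
planted3 ::: xxxxxxxxxxxxx ::: NULL ::: eSBp@gmail.com
planted4 ::: xxxxxxxxxxxxx ::: NULL ::: IGtl@gmail.com
planted5 ::: xxxxxxxxxxxxx ::: NULL ::: ZW1v@gmail.com
planted6 ::: xxxxxxxxxxxxx ::: NULL ::: cyBk@gmail.com
""".splitlines()


def username(line: str) -> str:
    """First field in either layout, as awk -F'[: ]' '{print $1}' extracts it."""
    return re.split(r"[: ]", line, maxsplit=1)[0]


def extra_rows(original: list, challenge: list) -> list:
    """Challenge rows whose username never appears in the original, in file order."""
    known = {username(line) for line in original}
    return [line for line in challenge if username(line) not in known]


def local_parts(rows: list) -> list:
    """The 4-character local part before @gmail.com on each planted row."""
    parts = []
    for row in rows:
        m = re.search(r"(\S{4})@gmail\.com$", row)
        if m is None:
            raise ValueError(f"no 4-character gmail local part in {row!r}")
        parts.append(m.group(1))
    return parts


def misplaced_padding(fragments: list) -> list:
    """Indexes of padded groups ('=' inside) that are not the final group. A
    padded 4-character base64 group can only be last, so any such index proves
    the fragments are not in their original order."""
    return [i for i, frag in enumerate(fragments[:-1]) if "=" in frag]


def decode_fragments(fragments: list) -> str:
    """Join the 4-character groups and decode, refusing an order that cannot be right."""
    bad = misplaced_padding(fragments)
    if bad:
        raise ValueError(f"padded group(s) at {bad} are not last; reorder the fragments")
    return base64.b64decode("".join(fragments), validate=True).decode("ascii")
```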

Ghostintheshellcode Stage 26 BeatBoxing Packet 75pts

Stage 26
Question: BeatBoxing
75 Points
File: beatboxing-da09c691e2613581f1f4db70810c6e5c


carl@b:~/beatbox$ file beatboxing-da09c691e2613581f1f4db70810c6e5c
beatboxing-da09c691e2613581f1f4db70810c6e5c: tcpdump capture file (little-endian) - version 2.4 (Ethernet, capture length 65535)


First I just reviewed the dump file to see if anything stood out. I went down a few paths checking the delay between packets and any variance in the packet size, but they didn't lead me anywhere. The source and destination ports didn't seem to be of note either.

carl@b:~/beatbox$ tcpdump -nnn -r beatboxing-da09c691e2613581f1f4db70810c6e5c
carl@b:~/beatbox$ tcpdump -nnn -A -r beatboxing-da09c691e2613581f1f4db70810c6e5c



I extracted the payload using tcpflow. The only thing I noticed was that the file was exactly 65535 bytes. That didn't lead me to any conclusion other than that it was likely custom-generated.

carl@b:~/beatbox$ tcpflow -r beatboxing-da09c691e2613581f1f4db70810c6e5c
carl@b:~/beatbox$ ls -al 127.000.000.001.42405-127.000.000.001.04242
-rw-r--r-- 1 carl carl 65535 2011-02-20 15:18 127.000.000.001.42405-127.000.000.001.04242
carl@b:~/beatbox$ file 127.000.000.001.42405-127.000.000.001.04242
127.000.000.001.42405-127.000.000.001.04242: data


After reading some other CTF write-ups, it dawned on me to look at the number of occurrences of specific characters, which led me to this:

carl@b:~/beatbox$ egrep --binary-files=text -o "[A-Za-z0-9]" 127.000.000.001.42405-127.000.000.001.04242 | sort | uniq -c | sort -n

[...]
175 H
176 a
177 c
178 k
179 E
180 R
181 s
182 F
183 o
184 r
185 L
186 i
187 f
188 e
190 G
191 I
192 T
193 S
227 h
231 1
238 V
240 6
240 A
243 K
244 U
245 W
246 u
248 p
[...]



and thus the answer: HackERsForLifeGITS
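An added example (not from the writeup) of the frequency trick in Python, with a constructed 65535-byte payload standing in for the real flow: count the alphanumeric bytes, order them by count, and spell the message from a count range, treating equal counts like the 240 shared by '6' and 'A' above as an ambiguity rather than guessing.

```python
import random
import string
from collections import Counter

ALNUM = set((string.ascii_letters + string.digits).encode("ascii"))
NON_ALNUM = [b for b in range(256) if b not in ALNUM]


def alnum_histogram(data: bytes) -> Counter:
    """Count every [A-Za-z0-9] byte, which is what the egrep | sort | uniq -c
    pipeline above produced."""
    return Counter(chr(b) for b in data if b in ALNUM)


def by_count(hist: Counter, lo: int, hi: int) -> list:
    """(count, characters) pairs for counts in [lo, hi], ascending like sort -n.
    Two characters at one count (240 for '6' and 'A' above) is a tie the data
    itself cannot order."""
    buckets = {}
    for ch, n in hist.items():
        if lo <= n <= hi:
            buckets.setdefault(n, []).append(ch)
    return [(n, sorted(buckets[n])) for n in sorted(buckets)]


def ties(hist: Counter, lo: int, hi: int) -> list:
    """The ambiguous (count, characters) pairs in the range."""
    return [(n, chars) for n, chars in by_count(hist, lo, hi) if len(chars) > 1]


def spell(hist: Counter, lo: int, hi: int) -> str:
    """Read the message off the ascending counts, refusing to guess at a tie."""
    if ties(hist, lo, hi):
        raise ValueError(f"ambiguous order at {ties(hist, lo, hi)}")
    return "".join(chars[0] for _, chars in by_count(hist, lo, hi))


def build_sample(message: str, noise: dict, base: int = 175, size: int = 65535, seed: int = 1) -> bytes:
    """Constructed payload: message byte i occurs base+i times, the noise bytes
    occur at the given counts, and random non-alphanumeric filler pads the
    payload to size (65535 bytes, like the flow in the writeup)."""
    counts = {c: base + i for i, c in enumerate(message)}
    if len(counts) != len(message) or set(counts) & set(noise):
        raise ValueError("message characters must be distinct and not in noise")
    counts.update(noise)
    body = [ord(c) for c, n in counts.items() for _ in range(n)]
    if len(body) > size:
        raise ValueError("counts exceed payload size")
    rng = random.Random(seed)
    body += rng.choices(NON_ALNUM, k=size - len(body))
    rng.shuffle(body)
    return bytes(body)


SAMPLE = build_sample("HackERsForLifeGITS", noise={"h": 227, "V": 238, "6": 240, "A": 240})
```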